In the EU, where the GDPR has been in place since 2016, news of million-dollar fines has almost become old news. But in the more business-friendly US where data privacy laws are still a relatively new phenomenon, this recent enforcement action merits close inspection.
We’ll explain the important features of this enforcement action, explore its implications, and identify the important lessons that businesses should take away from the case.
The facts of the enforcement
On August 24th, California Attorney General Rob Bonta announced that Sephora had settled with his office for $1.2 million after violating the CCPA. Sephora had failed to:
- Treat its transfer of consumer data as a “sale”
- Process consumers’ opt-outs of that sale as indicated by a universal opt-out signal
- Address these violations within a 30-day period
- Enable consumers to opt out of the sale of their personal information, including through universal opt-out signals
- Update its contracts to meet CCPA standards
- Report to the California AG about its efforts to meet the above requirements
With the exception of the reporting, these actions were all already required by the CCPA.
What does this all mean in plain English?
Enforcement actions like this one can be doubly intimidating. Anybody would be concerned over the potential to receive a $1.2 million fine. But when the exact reasons why that fine came about are shrouded in the often-obscure language used by legal experts, it can create even more uncertainty about what needs to be done to become compliant. That’s why we’ll explore exactly how Sephora violated the CCPA in detail.
Failing to treat its transfer of consumer data as a “sale”
Sephora was using data tracking technologies on its website that were sending consumers’ data to external ad tech and analytics companies. This is a common practice that many businesses employ and can be done in a compliant way. However, the way that Sephora was collecting and disseminating this consumer information would be considered a “sale” under the CCPA.
That means Sephora was supposed to alert consumers to this sale and give the choice of opting out. If its customers opted out, then Sephora was supposed to block the data trackers, thereby preventing the collection of consumer data by these external ad tech and analytics companies.
Even though Sephora wasn’t offering or honoring consumer opt-outs, this could have been compliant if it had the right contractual provisions in place with the ad tech and analytics vendors to which it was giving customer data. Under the CCPA, Sephora’s vendors would be considered “service providers.” If a business works with a service provider under the CCPA, then it needs to enter into an agreement that ensures the service provider will treat consumer data in a compliant manner.
When this agreement is in place, data transferred to a service provider is exempt from the definition of “sale,” which means that the company is not required to pass along a consumer’s opt-out request.
The violation boils down to this: Sephora could either have set up its contracts appropriately with its ad tech and analytics vendors, or offered consumers a means of opting out and acted on those opt-out requests accordingly. However, it did neither.
Failing to process consumers’ opt-outs via universal privacy controls
Sephora wasn’t offering consumers a way to opt out of the sale of their information on their website, but consumers were still able to signal their lack of consent using universal privacy controls like the Global Privacy Control, or GPC. The GPC is a browser extension that enables internet users to indicate their privacy preferences one time and then apply those preferences to every site that they visit.
So, when users indicated that they did not want their personal information to be sold using GPC, Sephora was supposed to act on that signal. However, it did not. There was some initial confusion about whether businesses needed to honor the GPC, so it’s not surprising that Sephora failed to do so—we’ll touch more on this specific issue later on in the article.
As we mentioned above, this wouldn’t have mattered so long as Sephora was notifying its consumers about the data collection and had its service provider contracts set up the right way. Because Sephora didn’t have its contracts in order and because the transfer of data qualified as a “sale” under CCPA, its failure to process consumer opt-out requests was a violation of CCPA.
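The decision described in this section can be sketched as server-side logic. The block below is an added example, not Sephora's or Osano's code: it reads the GPC signal as the `Sec-GPC: 1` request header defined by the GPC specification, and the vendor names and the `serviceProviderContract` field are hypothetical.

```javascript
// Added example, not Sephora's or Osano's code. Vendor names and the
// `serviceProviderContract` field are hypothetical.

// The GPC specification has opted-out browsers send "Sec-GPC: 1".
function hasGpcSignal(headers) {
  // HTTP header names are case-insensitive, so normalise before comparing.
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Decide, for one page request, which third-party tags may be emitted.
function tagsToLoad(vendors, headers, userOptedOut) {
  // An opt-out made on the site and a GPC signal are treated the same way.
  const optedOut = Boolean(userOptedOut) || hasGpcSignal(headers);
  const allowed = [];
  const blocked = [];
  for (const v of vendors) {
    // As the article describes it: a transfer is a "sale" unless a compliant
    // service-provider agreement covers that vendor.
    const isSale = v.serviceProviderContract !== true;
    (isSale && optedOut ? blocked : allowed).push(v.name);
  }
  // Any "sale" means consumers must be told and offered an opt-out.
  const noticeRequired = vendors.some((v) => v.serviceProviderContract !== true);
  return { optedOut, noticeRequired, allowed, blocked };
}

// Constructed sample inventory of tags found on a site.
const VENDORS = [
  { name: 'analytics.example', serviceProviderContract: true },
  { name: 'adtech.example', serviceProviderContract: false },
];

// Constructed request headers from a browser with GPC enabled.
const decision = tagsToLoad(VENDORS, { 'sec-gpc': '1' }, false);
console.log(decision);
```

With the constructed inventory, the ad tech tag is withheld for a GPC-enabled browser while the contracted analytics tag still loads.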
Failing to address these issues within a 30-day period
Because the CCPA and other data privacy laws are fairly new in the US, these laws often feature a cure period. The CCPA, for instance, features a 30-day cure period. That means when the AG’s office chooses to pursue an enforcement action, they’ll inform the business that it’s in violation of the law, and they’ll give the business 30 days to address the violations. It’s a sort of grace period that gives businesses the opportunity to adapt to the new regulations.
The California AG’s office has signaled that they’ve given these 30-day notices to other businesses before Sephora. However, those other businesses addressed their violations in time; Sephora did not.
We don’t know the reasons why Sephora failed to act within the cure period. It could have been the case that it wasn’t able to renegotiate its contracts with service providers to make them compliant. Or, the data it was collecting may have been too critical to stop collecting. It might have even decided to simply ignore the AG’s notice. Whatever the cause, Sephora didn’t address its violations and was consequently hit with the $1.2 million penalty.
It should be noted that the CCPA’s right to cure is disappearing as of January 1, 2023, when the CPRA goes into effect (which does not feature a cure period). Other state data privacy laws similarly have an expiration date on their right to cure. AGs may still issue notices to cure at their discretion, but that will ultimately be up to the AGs and should not be counted on.
Some noteworthy details
The enforcement action hinged upon the CCPA’s definition of “sale”
Readers who have been paying attention to the data privacy space will know that the CCPA is being amended by the CPRA in order to address certain ambiguities and gaps. One of those amendments is to ensure that businesses understand what data transfer activities are regulated under the law.
The CCPA was, unfortunately, a little vague regarding its definition of the word “sale.” It defined a sale as:
selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means a consumer's personal information for monetary or other valuable consideration.
However, few would intuitively consider the act of merely making information available to another party to be a “sale.” Sephora had hired the services of ad tech and analytics companies to deliver targeted advertisements and provide them details about their market; the fact that it transferred personal information to these companies was incidental to accomplishing those goals.
Sephora might have thought that since it wasn’t literally exchanging personal information for money, it wasn’t actually selling personal information. Under the CCPA, however, it was still considered to be selling the data and therefore needed to have the right contractual provisions in place.
The CPRA clarifies the intention behind the law by regulating the “share” of data as well, which it defines as:
renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business.
Furthermore, the CPRA explicitly discusses targeted advertising, which it refers to as “cross-context behavioral advertising.” Sephora was sharing its consumers’ data with outside organizations for targeted advertising purposes—while this activity is indeed regulated by the CCPA, the CPRA highlights and clarifies that businesses can only engage in these activities if they have consumer consent and the right safeguards in place.
Confusion over universal opt-outs clarified
Neither the CCPA nor the CPRA explicitly states that businesses must honor universal opt-out preference signals like the GPC, merely that businesses must honor opt-out requests in general. The California AG clarified, however, that this includes the GPC.
On its FAQ page on the CCPA, the California AG’s office states, “Opting out of the sale of personal information should be easy for consumers, and the GPC is one option for consumers who want to submit requests to opt-out of the sale of personal information via a user-enabled global privacy control.”
Being required to honor the GPC was a matter of debate prior to the AG’s guidance, so it isn’t difficult to see how Sephora could have missed the need to act on this signal. It serves as a reminder that contemporary data privacy regulations are constantly changing and must be regularly monitored.
Here are the other state laws’ positions on the universal opt-out signals:
- Colorado explicitly calls out the need to honor universal opt-out signals and goes online July 1, 2024.
- Connecticut also requires that businesses recognize universal opt-out signals starting January 1, 2025.
- Utah does not reference universal opt-out signals.
- Virginia does not reference universal opt-out signals.
The AG has thrown down the gauntlet
In the press release that announced the action, California AG Rob Bonta stated:
Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale. I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.
That’s a strongly worded statement, and it demonstrates that AG Bonta understands the importance of this action. As the first enforcement action in not only California, but also the United States, the Sephora settlement will be remembered. Just consider this blog post—we likely won’t spend the time to dissect the third or fifth or tenth penalty levied under the CCPA, but we absolutely will examine the first. The AG’s statement is designed to convey that this law has teeth, and that data privacy will be enforced in California, if not in the whole of the United States.
What we’ve heard from our partners
This settlement made waves that reverberated far beyond the data privacy world. As a data privacy vendor, the businesses we partner with have naturally come to us to talk through the Sephora case.
For example, we work with a company called Tadpull, both as a customer of their marketing services and as their compliance vendor. Here’s what Tadpull’s Chief Data Officer, Eulalie Cook, had to say on the enforcement:
“The Sephora case marks a pivotal shift in terms of enforcement of privacy regulations in ecommerce. While CCPA is not new, this is the first fine that has been doled out and it serves as a cautionary tale for merchants.”
The California AG made as much clear in his statement. In addition to the warning issued above, the AG noted that his office has “issued notices to a wide array of businesses alleging noncompliance with the CCPA. Notices to cure have been issued to major corporations in the tech, healthcare, retail, fitness, data brokerage, and telecom industries, among others.” As we’ve seen with Sephora, even if your business receives a notice to cure, it isn’t certain that you’ll be able to address violations in time.
It’s far better to be compliant and avoid such a notice altogether than it is to rapidly get your house in order before the cure period expires. We’ve discussed some of the compliance requirements of the CCPA and CPRA in this blog, but knowing what your requirements are and actually fulfilling them are two different things.
“Compliance is particularly tricky for ecommerce brands that don't have an in-house legal team,” said Eulalie, “yet the time and cost associated with a lawsuit underscores the importance of avoiding a violation. Tadpull has found Osano presents a compelling solution for legal expertise and serves as an easy-to-implement solution to achieve compliance.”
How Osano addresses the violations in this case
As a consent management platform vendor, we were naturally invested in whether we solve for the sorts of violations that the California AG is targeting. When looking at the details of the AG’s decision, we found several ways Osano could have prevented these violations.
Notifying customers about the sale or share of their personal information
As a consent management platform (CMP), Osano functions by classifying the data trackers running on your website and blocking or permitting them based on the user’s consent preferences.
Sephora failed to disclose to customers that it was selling their personal information. While we don’t know the exact reason, it may be because Sephora didn’t realize that the data trackers active on their website were transferring data in a way that constituted a sale under the CCPA.
CMPs like Osano enable you to discover the trackers that are active on your website and to understand how they transfer data. In Osano’s case specifically, the CMP automatically identifies common trackers (including those that transfer data to ad tech service providers, such as those Sephora relied upon) and provides support and guidance to enable Osano users to identify more niche trackers.
What’s more, our CMP automatically displays the required disclosures to users based on their location and their language preferences. This ensures that users understand what data you’re collecting, how you process that data, and with whom you share it.
Honoring consumers’ consent preferences (including GPC)
Managing, recording, and acting upon consumers’ consent preferences regardless of the jurisdiction is the core function that a CMP provides. Different data privacy laws have different requirements for consent, each of which Osano supports.
Sephora needed to provide consumers with a prominent and clear means of opting out of the sale of their personal information, and it needed to honor requests made by universal opt-out controls like the GPC. Osano can meet these needs in a few ways:
- Osano streamlines and manages the data subject access rights (DSAR) process. If users want to opt out of the sale of their personal information under the CCPA, they can make a DSAR request to your business to that effect.
- Osano also supports the GPC as a means for users to indicate their "do not sell" preferences.
Addressing violations
We can’t adjust a business’s internal practices in response to a notice from the California AG, but we can do everything possible to prevent those violations from ever occurring in the first place. In fact, we’re so confident that Osano can help your business avoid data privacy violations, we pledge to cover up to $200k in fines and penalties that arise from the use of our platform.
The Sephora enforcement has been something of a wake-up call to the business community, which is exactly what the California AG intended. If it’s sparked concern about your business’s compliance status, schedule a demo with an Osano team member. We’ll be happy to explore your challenges and identify any ways we can help.